If you want to learn, learn how login systems work and write one yourself (and learn sessions inside out). If you don't know how secure it is - post your script and we'll be more than glad to assist you with it.

If you don't want to learn, I'd have to wonder why you're even on SitePoint.

Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes it's enough to make that wheel more rounded"-Molona

Seriously you guys, I know more than enough PHP, and have coded plenty of sites. Did I post this in the wrong forum category? Or should I have posted it in the Scripts and Online Services category, because that's all I want, someone to point me in the direction of a decent login script. When I want to learn sessions and all that, I will, and I'm sure it's not even that difficult, but at the moment, I've got too much crap in my head, so can someone please just help me out

If someone came here asking what's a good blogging script, you wouldn't try to teach him how to code a blog, would you?

It's not complicated. It's just a pain, I have to admit. You need, for a decent, non-annoying login system:

Session support

Registration

Registration CAPTCHA prompt

Registration flood detection

Registration logs

Email confirmation for registration

Login page

Logout page

Remember me

Username recovery

Password recovery + password change form

Email address change page

Email confirmation for email change

Password change page

Cookie support check on login (if only cookies are used)

Failed login log

Brute force detection

CAPTCHA prompt once a brute force is detected (better than a complete block, in my opinion, because sometimes people are genuinely trying to guess their username/password because they lost access to their email)

Blocking mechanism past a limit

Temporary session IDs to validate actions that could be hijacked via CSRF (i.e. so logouts can't be triggered via a CSRF)

Redirect-after-login support

Redirect URL validation (i.e. no redirect to /logout.php)

And then... let's not forget: what about all the user administration pages you also need? Permissions support, etc.?
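
Two items from the checklist above, the per-session token that stops a logout being triggered via CSRF and the redirect-after-login validation, sketched in PHP as an added example (not code from any poster in this thread). The function names and the `action_token` session key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the 'action_token' session key are
// illustrative assumptions, not code from any poster in this thread.

/** Per-session random token that logout (and similar) requests must echo back. */
function actionToken(): string
{
    if (empty($_SESSION['action_token'])) {
        $_SESSION['action_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['action_token'];
}

/** Constant-time check of the token submitted with the request. */
function tokenIsValid($submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['action_token'])
        && hash_equals($_SESSION['action_token'], $submitted);
}

/** Allow only same-site relative paths, and never the logout page. */
function safeRedirect($target, string $default = '/'): string
{
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        return $default;   // absolute URLs, empty or missing values
    }
    if (strncmp($target, '//', 2) === 0 || strpbrk($target, "\\\r\n") !== false) {
        return $default;   // protocol-relative URLs, backslashes, CR/LF
    }
    $path = parse_url($target, PHP_URL_PATH);
    if (!is_string($path) || strcasecmp(rtrim($path, '/'), '/logout.php') === 0) {
        return $default;   // unparseable target, or the logout page itself
    }
    return $target;
}

// Constructed demo for the command line; a real page calls session_start() instead.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = actionToken();
    var_dump(tokenIsValid($token), tokenIsValid('guessed'));
    var_dump(safeRedirect('/account.php?tab=email'));
    var_dump(safeRedirect('//other-site.example/'), safeRedirect('/logout.php'));
}
```

The logout handler should refuse to end the session unless `tokenIsValid()` passes; with that in place, the `/logout.php` check in `safeRedirect()` is a second layer rather than the only defense.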

All that, plus more customizations, can be achieved within an hour on a good day.

On a normal day, with snacks and TV shows in between, and maybe even some online FPS action before taking out the trash, you can achieve this too.

It's a one day project. I don't see what the big deal is here. Do it on a Saturday instead of going out, if it means that much to you.

And sessions aren't that hard to understand. If you just want to know how to use them and not realize how they work (serialization, hashed IDs, cookies, etc.), the idea is simple: session variables are variables that exist from the moment you created them to the moment you closed your browser... or... deleted them yourself. You can manipulate, set, change and delete session variables after calling the function session_start() before you send your headers - or if you don't know much about headers - just call that function in the first line of your file.

You can access session variables in the global array, $_SESSION.

Hope this helped. All the rest - Google for it! If you can't understand something, post here and we'll be sure to help you out.

For the record, most of the people here don't use login scripts anyway since we make our own, so that's probably why no one here answered your question. We simply don't know, because we never got into it... So if you want help, there's plenty to go around... But going around the web looking for good scripts isn't what people in the PHP forum do. What we do is submit our scripts so people like you can download and use them.

So again, if you need help with creating your own system - we'll be happy to assist. If that's not what you're looking for... You'll have to look somewhere else, then.

Learn about the new Retro Framework
Code PHP the way it was meant to be coded!

That's 16 pages, and that's not including all the user management and user permission pages. Throw in 10 more for that. Not to mention, you'd have to write code that's not directly related to the page (permissions API, sessions API if you're using something non-standard, etc.).

Not everyone's day consists of just watching TV and playing FPS games.

Understand what? The laziness? You'd be surprised how easy it is to find lazy people. If that's the kind of answer you want to get - look in another place.

Everything sk89q mentioned there can actually be done with far fewer files, if you don't repeat your code and use logical techniques and conditions.

You know what, if you pay me, I'll prove you wrong by completing all of this in under 4 hours of non-intense work.

And I'm sorry, I just can't allow myself to ignore the b-comment:

Not everyone's day consists of just watching TV and playing FPS games.

Actually, as you could have seen, I was talking about a Saturday you'd do it while obviously giving up on other stuff, if it means so much.

For the record, I'm joining the army in 2 months, with lots of interviews almost every day, I am still studying for MCPD tests (70-536 by Microsoft, download the test and tell me if you understand a word of the 230 questions I already memorized by heart), other than that I also have to study a 1,080-page study book about threading, configuration, application domains, memory allocation, instrumentation, security, globalization and more (and that's just the second of 5 exams), and in between all of that - I write in-depth tutorials on my blog and work to save money to fly with my fiancee just 2 weeks before I leave for the army.

So no, I don't sit around and watch TV and play FPS games all day. I was trying to make a point with a friendly association.

Wow dude, no one's attacking you here. It's not laziness, I just have better things to do than code a login script which might or might not be good... Why is it so hard to understand that I'd rather use something that's premade and that a lot of other people have used, so I can have peace of mind that it's secure

I just have better things to do than code a login script which might or might not be good...

The great geniuses had to learn to read and write.

Franco, I can really see what you mean here. You don't really bother with making yourself better, your current skill is more than sufficient to get the basics done, and why learn anything else if you can grab easily available scripts off the internet?

If that really is your point of view... I think you need to reassess.

Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes it's enough to make that wheel more rounded"-Molona

Coming from the mind of a programmer, maybe it's wrong for the original poster to have a belief that a "canned solution" is the proper way through this hurdle, but on the flip side of the coin, maybe this person has a different set of priorities? Maybe he is no web developer? Maybe he has classes to worry about...? Maybe he has a girlfriend...? I mean, c'mon--we all know how much time they consume!

Not everyone has hacked into the Pentagon at age 3 or overthrown the Chinese government with the click of a button on a Saturday before cartoons start.

Just some food for thought guys... Not everyone is a programming God like some of you are around whom we all worship to no end.